
Page 1: A CISO’s Guide to Application Security - NDM Technologies · application security to protect the software ... Construction – Initial investment in reactive technologies such as

A CISO’s Guide to Application Security

Building the case for increased investment in organizational application security


WHITEPAPER: A CISO’S GUIDE TO APPLICATION SECURITY

Table of Contents

- Introduction
- The Growing Threat to Applications
- Toward an Application Security Center of Excellence
  - The Ad Hoc Stage
  - The Baseline Program
  - The Advanced Program – an Application Security “Center of Excellence”
- Justifying an Investment in Application Security
- The Case for Application Security: Conclusion
- Learn More
- Works Cited


Introduction

The past few years have seen a massive increase in both the number and severity of threats facing applications. With these new threats comes a serious increase in the amount of pressure being put on Chief Information Security Officers (CISOs) and their IT security teams to protect this gateway to sensitive company and customer data. However, making a case for increased investment in application security can be a seemingly daunting task.

This paper will provide CISOs and their security teams with guidance for justifying application security investment as well as recommendations for how they can build their efforts into advanced application security programs.

The Growing Threat to Applications

IT security professionals are well aware of the kinds of external threats targeting their organizations. Data breaches from cyber attackers are the single biggest threat to enterprise security today. The quantity and frequency of hacks, attacks and malware are only growing – and well-documented (see Figure 1 below). To mitigate this threat, organizations must secure all three fundamental access points to their digital data: the network, the hardware… and the software that supports their business operations.

Figure 1: Graph with data from the 2012 Verizon Data Breach Investigations Report showing distribution of threat agents over time by percentage of breaches [2]

Existing security measures create a false sense of security. Most enterprises have widely adopted IT security tools such as firewalls and intrusion detection to protect their networks as well as antivirus, access control and physical security measures to secure their hardware. However, what many businesses still lack is adequate investment in the protection of their critical software. Simply put, software applications are the most vulnerable entry point for attacks targeting an organization’s sensitive, protected or confidential data. If a company's network and hardware infrastructure can be called the “back door” to hacktivists, spies and fraudsters, then business software should be called the front door.


Professional hackers and cyber criminals know how to exploit the weakest link in an organization’s IT infrastructure – vulnerabilities in applications – to get to valuable data. Consider these sobering statistics:

- 90% of companies have been breached at least once by hackers over the past 12 months [1]
- 855 data breaches in 2011 lost 174 million records, the second highest volume of data stolen since 2004 [2]
- 54% of attacks on large organizations exploit web application vulnerabilities, while hacking was responsible for 81% of compromised records [2]
- For all organizations that reported the source of breach incidents in 2011, 40% were traced to application security issues [3]
- The National Vulnerability Database – the U.S. government’s repository of standards-based vulnerability management data – publishes at a rate of 13 new vulnerabilities each and every day [4]
- The costs of a single data breach are daunting: $194 per compromised record, or an average $5.5M per incident [5]
- Data breaches can hammer a company’s valuation – Global Payments stock dropped 9% in March 2012 after it was reported that they were being investigated because of a data breach that affected firms including Visa and MasterCard [6]
- Companies spend just 0.3% of what they pay for software on ensuring that it is secure [7]
- 54% of incidents investigated in the 2012 Verizon Data Breach Investigations Report took months to be discovered by their victims (see Figure 2 below) [2]

Figure 2: Chart with data from the 2012 Verizon Data Breach Investigations Report showing the span of time from when a company’s first asset is negatively affected to the moment when the victim learns of the incident [2]


Alarmed by the potential for widespread social and commercial damage, government and industry regulatory bodies have been strengthening their mandates in the area of application security. Many organizations are now required by laws and regulations to address the risk posed by their applications, and perform scheduled risk assessments and compliance audits. Some of the regulations which specifically require data privacy and security include:

- Payment Card Industry (PCI) Security Standards Council monitors compliance of any business accepting electronic payments
- The Federal Information Security Management Act (FISMA) requires federal government agencies to provide information security for their operations and assets
- Federal Financial Institutions Examination Council (FFIEC) is an interagency body of the United States government empowered to secure the online banking and financial service industry
- The Health Insurance Portability and Accountability Act (HIPAA) governs the security and privacy of health data such as patient records in the healthcare industry
- The Gramm-Leach-Bliley Act (GLBA) governs the collection, protection and disclosure of customers’ personal financial information
- The Monetary Authority of Singapore (MAS) recently updated their Technology Risk Management Guidelines to include quarterly assessments for application vulnerabilities as a best practice which financial institutions are expected to adopt
- Private contractual mandates: many organizations are contractually obligating their partners to assure security as well

Software is everywhere. It is increasingly accessible to attack, and the opportunities to exploit its weaknesses are plentiful and painless for those intent on doing so. Applications are the new entry point to steal critical business data — and the resulting attacks have proven profitable for cyber criminals. Network- and hardware-based security have both proven ineffective against many of today’s threats. It is time for increased investment in application security to protect the software that runs modern businesses.


Toward an Application Security Center of Excellence

When undertaken correctly, application security takes a systematic, programmatic approach to hardening business-critical software, from the inside. That’s not to say that organizations must over-invest in an advanced program from the start to be effective – in fact, quite the opposite.

It is easy for organizations of any size to get started with application security. In fact, there is a well-established evolutionary curve that practitioners follow as they progress and mature their processes, technology, and indeed their teams as well. The simplest framework to establish programs and policies addresses (and continuously improves) these basic steps: identification of vulnerabilities, assessment of risk, fixing flaws, learning from mistakes, and better managing future development.

The application security market has reached sufficient maturity to allow IT management to follow a well-established series of actions to build and scale a program. While the actual progression is more fluid and may contain multiple phases, application security can generally be viewed in three primary stages: Ad-hoc, Baseline Program and Advanced Program.

The Ad Hoc Stage

- Construction – Initial investment in reactive technologies such as Intrusion Detection Systems and Web Application Firewalls that block active, incoming attacks
- Testing – Software development teams typically start with periodic manual penetration (PEN) testing, but progress rapidly to automated static testing (SAST) of software still in development, then to dynamic testing (DAST) of production applications
- Remediation – Basic triage of test results to fix only the most egregious software flaws, in priority order
- Reporting – Externally driven by industry-specific compliance bodies, according to audit requirements
- Policy – No formal policies, reactive
- Portfolio coverage – Protect only internally developed software to start, but complete an application inventory

The Baseline Program

- Construction – Initiate investment in basic software developer training, plus add threat modeling and ongoing threat intelligence to anticipate specific attacks, understand harmful impacts, and define countermeasures in advance
- Testing – Combine PEN, SAST and DAST into a hybrid testing regimen
- Remediation – Track progress in an Integrated Development Environment, including a flaw repository with role-based access and validation of bug fixes
- Reporting – Software teams earn formal certification in secure development techniques
- Policy – Defined, according to a Software Development LifeCycle (SDLC) model, with proactive monitoring and incident response
- Portfolio coverage – Extends to third-party applications, such as commercial vendor, open source and outsourced development

The Advanced Program – an Application Security “Center of Excellence”

- Construction – Include secure architecture and design practices protecting all applications, with accountability across security, operations and development teams
- Testing – Continual process improvement of testing regimens
- Remediation – Integrate training into development processes, including software change management and scheduled “security gates” for regular re-testing
- Reporting – Gain insight from multiple analytics tracking critical KPIs and benchmarking against industry standards, with independent verification
- Policy – Codify formal governance, risk and compliance management with executive support and policy enforcement, including a cross-functional security committee and contractual requirements of all third parties
- Portfolio coverage – Scale to protect each and every app (including mobile) under formal vendor management approach

“Companies can put all of the other cybersecurity controls in place but if there are application weaknesses, hackers have the will and time to find and exploit them. The issue simply cannot be neglected anymore.”

Chris Wysopal, Chief Information Security Officer and Co-Founder

Read the full press release at: http://www.veracode.com/content/view/1884/38

An advanced Application Security program should be a critical component of an organization’s overall information management architecture, and ultimately plays an integral role in business continuity. It is critical not only to get started with software protection, but also to rapidly progress beyond ad hoc approaches to a framework for continuous development of effective controls and enforceable policies. Ignoring this critical aspect of information security leaves an organization at risk of failed regulatory audits – at best – and at worst a company can be exposed to possible business interruption, financial losses and liability due to a crippling security breach.


Justifying an Investment in Application Security

The CISO must secure all three fundamental access points to sensitive enterprise information: the network, the hardware… and the software that supports business operations. Yet, companies spend just 0.3% of what they pay for software on ensuring that it is secure. [7] Most enterprises have widely adopted IT security tools such as firewalls and intrusion detection to protect their networks as well as antivirus, access control and physical security measures to secure their hardware. In a 2011 Gartner study on top security priorities, Application Security still ranked a distant fifth after a variety of network security tools. First on the list: data loss prevention.

Ultimately, it’s up to the CISO and his or her security team to implement and verify the effectiveness of security measures – that includes application security disciplines such as software testing, vulnerability remediation and ongoing safe coding practices. Research and assembly of a solid business case analysis will help CISOs make a better case for wide adoption of application security processes.

There are many sobering numbers that a CISO can employ to build the business case for greater application security investment:

- Costs of a Breach – The average cost of a single data breach has reached a staggering $5.5M per incident, or $194 per compromised record [5]
- Loss of Revenue/Reputation – the costs of insecure software include both hard measures like lost sales, PR costs, customer issues – all of which figure into “total cost of recovery”
- Company Valuation – Consider the recent Global Payments breach: its stock valuation dropped 9 percent on news of the incident [6]
- Cost to Fix – Software developers have long understood that the cost of fixing an application vulnerability during the development or QA phases dwarfs the cost of fixing the same flaw once in production
- Cost of Compliance – When asked about how security spending is justified at organizations, most C-level IT execs rely on legal and regulatory requirements. The threats of non-compliance, fines and litigation are still greater motivators than the threat of data loss for most companies (see Figure 3 below). [8]


Figure 3: Graph showing results of PwC survey on justifications for security spending from the 2012 Global State of Information Security Survey®. Not all factors shown. [8]

Perhaps the simplest formula for computing the risk/reward was detailed by Chris Wysopal, CTO of Veracode. His basic financial model is:

(likelihood of a breach) X (potential impact in dollars) = (expected total loss)

Event likelihood is based on the quantity and severity of vulnerabilities present in the software portfolio plus the likelihood that one of those flaws will be discovered and exploited. In a recent survey, 90 percent of organizations reported a breach by hackers over the previous year. [9] One can uncover flaws in the software portfolio through a variety of testing and scanning tools. The rest of the model relies on imperfect but improving industry research data which tracks aggregate measures of total monetary risk.
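As an added illustration (not part of the whitepaper), the model above carried through for a small constructed application inventory: breach likelihood is derived from the count and severity of open flaws, impact from the paper’s $194-per-record and $5.5M-per-incident figures, and the result is used to rank remediation by expected loss and to price a single fix. The inventory, the per-severity exploit probabilities and the internal-exposure factor are assumptions made for this example.

```python
"""Expected-loss model: (likelihood of a breach) x (potential impact in $).

The per-record and per-incident costs are the figures quoted in the paper;
the inventory and per-severity exploit likelihoods are constructed assumptions.
"""
from dataclasses import dataclass, field

COST_PER_RECORD = 194.0          # $194 per compromised record (paper, ref. 5)
AVG_INCIDENT_COST = 5_500_000.0  # $5.5M average per incident (paper, ref. 5)

# Assumed annual probability that one open flaw of a given severity is found
# and exploited. Illustrative weights, not figures from the paper.
EXPLOIT_LIKELIHOOD = {"high": 0.30, "medium": 0.10, "low": 0.02}
INTERNAL_EXPOSURE = 0.25         # assumed reduction for non-internet-facing apps


@dataclass
class Application:
    name: str
    records: int                                # sensitive records reachable
    vulns: dict = field(default_factory=dict)   # severity -> open flaw count
    internet_facing: bool = True

    def breach_likelihood(self) -> float:
        """P(at least one open flaw is exploited this year).

        Each open flaw is an independent chance of compromise, so the
        combined probability is 1 - prod(1 - p_i) over all flaws.
        """
        p_safe = 1.0
        for severity, count in self.vulns.items():
            p_safe *= (1.0 - EXPLOIT_LIKELIHOOD[severity]) ** count
        likelihood = 1.0 - p_safe
        return likelihood if self.internet_facing else likelihood * INTERNAL_EXPOSURE

    def impact(self) -> float:
        """Potential impact in dollars: per-record cost, floored at the
        average incident cost so a small app still carries response costs."""
        return max(self.records * COST_PER_RECORD, AVG_INCIDENT_COST)

    def expected_loss(self) -> float:
        return self.breach_likelihood() * self.impact()


def portfolio_expected_loss(apps) -> float:
    return sum(app.expected_loss() for app in apps)


def remediation_order(apps) -> list:
    """App names ranked by expected loss, highest first: the paper's
    'triage in priority order', driven by dollars rather than flaw counts."""
    return [a.name for a in sorted(apps, key=Application.expected_loss, reverse=True)]


def loss_avoided_by_fixing(app: Application, severity: str, n: int = 1) -> float:
    """Expected-loss reduction from closing n flaws of one severity (the
    'reward' side of the paper's risk/reward, useful for pricing a fix)."""
    remaining = dict(app.vulns)
    remaining[severity] = max(0, remaining.get(severity, 0) - n)
    fixed = Application(app.name, app.records, remaining, app.internet_facing)
    return app.expected_loss() - fixed.expected_loss()


# Constructed sample inventory; not real applications.
PORTFOLIO = [
    Application("customer-portal", 2_000_000, {"high": 2, "medium": 5}),
    Application("hr-intranet", 40_000, {"high": 1}, internet_facing=False),
    Application("marketing-site", 0, {"medium": 3, "low": 10}),
]

if __name__ == "__main__":
    for app in PORTFOLIO:
        print(f"{app.name:16} p={app.breach_likelihood():.3f} "
              f"impact=${app.impact():,.0f} expected=${app.expected_loss():,.0f}")
    print(f"portfolio expected loss: ${portfolio_expected_loss(PORTFOLIO):,.0f}")
    print("remediation order:", remediation_order(PORTFOLIO))
```

Note how the zero-record marketing site still outranks the internal HR app: the per-incident floor and internet exposure dominate, which is the kind of result the paper's "imperfect but improving" inputs need to be sanity-checked against.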

As a sustained, systemic undertaking, an application security program is a cross-functional effort between the cybersecurity, risk management and application development teams. This reality makes funding decisions more complicated. Software methodologies and technologies are rarely standardized – even across an organization’s internal development teams – leading to competing agendas. However, new ROI models for application security are emerging. For example, a survey of outsourced application suppliers reveals a mix of licensing options that includes per-scan, per-application, per-flaw-category, per-developer and time-based pricing.

The key to positive ROI is to start small and scale over time. Any organization can get started with a basic software testing regimen and expand with success from a single application to multiple projects. Creating a successful deployment plan requires scoping all intended activities and associated hard and soft costs before rolling out a chosen tool, including all staffing considerations. Organizations must create their own recipes for the AppSec mix based upon their unique business requirements.

The Case for Application Security: Conclusion

Ongoing and well-funded investment in network- and hardware-based security solutions has proven effective in protecting the hardware and network layers. However, these defenses are ineffective against hacks and attacks that exploit flaws within an organization’s business applications. Many enterprises still lack adequate investment in the protection of their critical software, the “front door” to their business. As a result, applications remain the most vulnerable entry point for malicious actors targeting sensitive or confidential data. CISOs must prioritize their investments in IT personnel, processes or technologies in alignment with the reality of today’s considerable threats to the enterprise.

It’s time for increased investment in application security to protect the software that runs today's businesses.

Learn More

- Veracode E-learning Course Curriculum: http://www.veracode.com/products/veracode-elearning-curriculum.html
- Application Security Solutions for Executive Team: http://www.veracode.com/services/business-owner.html
- Veracode Research: http://www.veracode.com/reports
- Application Security Webcasts: http://www.veracode.com/webcasts
- Veracode Customer Testimonials: http://www.veracode.com/videos


Works Cited

1. Ponemon Institute. Perceptions About Network Security. Research rept. Juniper Networks, 2011. PDF file.
2. Verizon. 2012 Data Breach Investigations Report. 2012. PDF file.
3. DataLossDB.org, and Open Security Foundation. "Statistics." DataLossDB. N.p., 2012. Web. 18 July 2012. <http://www.datalossdb.org/statistics>.
4. National Vulnerability Database. "Statistics." National Vulnerability Database. DHS National Cyber Security Division/US-CERT, 2012. Web. 18 July 2012. <http://web.nvd.nist.gov/view/vuln/statistics>.
5. Ponemon Institute. 2011 Cost of Data Breach Study: United States. Research rept. Symantec, 2012. PDF file.
6. Griffin, Donald. "Global Payments Trades Halt on Breach Probe." Businessweek. Bloomberg, 30 Mar. 2012. Web. 18 July 2012. <http://www.businessweek.com/news/2012-03-30/global-payments-trades-halt-as-card-industry-probes-data-breach>.
7. King, Sam. "A Tale of Two Market Sizes." Veracode Blog. N.p., 7 Feb. 2012. Web. 08 Aug. 2012. <http://www.veracode.com/blog/2012/02/a-tale-of-two-market-sizes/>.
8. PwC. 2012 Global State of Information Security Survey. Research rept. N.p.: PwC, 2012. PwC. Web. 24 July 2012. <http://www.pwc.com/gx/en/information-security-survey/giss.jhtml>.
9. Vijayan, Jaikumar. "90% of companies say they've been hacked: Survey." Computerworld. N.p., 22 June 2011. Web. 24 July 2012. <www.computerworld.com/s/article/9217853/90_of_companies_say_they_ve_been_hacked_Survey>.


ABOUT VERACODE

Veracode is the only independent provider of cloud-based application intelligence and security verification services. The Veracode platform provides the fastest, most comprehensive solution to improve the security of internally developed, purchased or outsourced software applications and third-party components. By combining patented static, dynamic and manual testing, extensive eLearning capabilities, and advanced application analytics, Veracode enables scalable, policy-driven application risk management programs that help identify and eradicate numerous vulnerabilities by leveraging best-in-class technologies from vulnerability scanning to penetration testing and static code analysis. Veracode delivers unbiased proof of application security to stakeholders across the software supply chain while supporting independent audit and compliance requirements for all applications no matter how they are deployed, via the web, mobile or in the cloud. Veracode works with global organizations across multiple vertical industries including Barclays PLC, California Public Employees’ Retirement System (CalPERS), Computershare and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com, follow on Twitter: @Veracode or read the Veracode Blog.

www.veracode.com · © 2012 Veracode, Inc. All rights reserved.